Why You Shouldn't Trust Google's Free WiFi Network


Last week, Google unveiled plans to build a free wireless Internet zone in Chelsea, a New York City neighborhood. Pretty much every news report and social media conversation focused on how the free Wi-Fi would give people in the area easy access to the Internet.

"This neighborhood can now claim to be the first in Manhattan with totally free outdoor Wi-Fi," New York's Mayor Michael Bloomberg said at the press conference announcing the initiative on Jan. 9.

Security was missing from the conversation.

"Like most public Wi-Fi systems, the network is not secured, and communications over the network may be subject to interception by unauthorized third parties," according to the network's terms and conditions page. Users are responsible for their own security while using the network, and the Chelsea Improvement Company, Google's partner on the project, "expressly disclaims any responsibility or liability" for anything that may happen–loss of data or "unauthorized access"–as a result of the user not taking proper security measures.

"The Wi-Fi network is truly open. There is no signup process–users can simply connect to the network, and start browsing," George Townley, director of information systems at CIC, confirmed to SecurityWatch.

What About Security?

"A free network that large is also going to draw in some criminal activity," Rick Westmoreland, a security analyst at Perimeter E-Security, told SecurityWatch.

Anyone who uses the free network in Chelsea should treat it the same as any other public Wi-Fi system and take the same precautions. They should stay away from sensitive activities, such as logging into their email accounts or checking their bank balance, and stick with non-personal ones, such as checking the weather or reading the news. However, not everyone follows these recommendations when using a public hotspot.

"In a world of increasing connectivity, we should absolutely assume that consumers will perform the same types of financial and commercial transactions on free Wi-Fi networks as they would from a paid service or secure home network," David Britton, vice-president of industry solutions at 41st Parameter, told SecurityWatch.

Sniffing Out Data

Security experts have long warned that people's data sent over open Wi-Fi could be intercepted. It could be an innocuous list of all the sites you visited, or potentially sensitive information such as login credentials to a website or service. Even CIC's terms and conditions page acknowledges the possibility of "unauthorized third parties" obtaining your data.

It's not that difficult to find the tools to sniff out data being sent over open networks, either. There "is an abundance of hacking tools," Paul Henry, a security analyst with Lumension, told SecurityWatch.

White Hat Security's Jerry Hoff pointed out that while most people connecting to an airport hotspot are in transit, a large number of users on a neighborhood network will be connecting from their homes. By monitoring this traffic and viewing "harmless" data, criminals or stalkers could determine if a particular person is home or not, Hoff said.

"The difference between using public Wi-Fi in transit versus in one's home is as great as someone watching someone in public versus watching someone day after day in their home or apartment," Hoff said.

When I asked CIC's Townley about the possibility of people connecting to the free network from their homes, he didn't seem overly concerned.

"Reliable connectivity is mostly outdoors, covering the sidewalks and public spaces in the neighborhood. Since that's the case, I'm not sure how many people will use the Wi-Fi to replace their primary ISP," Townley said.

PCMag.com previously reported that the network would be available to more than 2,000 residents living in Fulton Houses, a public housing project in Chelsea, along with more than 5,000 students living in the area. "Hundreds of workers, retail customers, and tourists who visit our neighborhood each day" will also be able to access the network, according to Google CIO Ben Fried. Based on those numbers, locals are likely to use the network more than visitors.

Man-in-the-Middle Attacks

There is nothing stopping someone else in the area from setting up a rogue access point to launch man-in-the-middle attacks, said Perimeter E-Security's Westmoreland. The official network ID is "CIC Free WiFi," so people seeing a similarly named network ID, such as "CIC Free Wifi2," may not recognize it as malicious. If a user connects to that rogue access point, all their network activity is visible to the owner of that network (hence the name "man in the middle"), and they are vulnerable to attack.

CIC has deployed a wireless intrusion prevention system (WIPS) to detect rogue access points and other attacks, Townley said. Google deferred all questions about the network to CIC.

The CIC wireless network extends between Gansevoort St. and 19 St., from 8th Ave to the West Side Highway, and includes Chelsea Triangle, 14th Street Park, and Gansevoort Plaza. Someone can set up an access point with the exact same name a block or two away and trick users who may not know the actual network area into connecting.
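A sketch of the kind of check a defender could run over Wi-Fi scan results to catch both cases described above, the similarly named network and the exact-name copy. This is an added example, not code from the article or from CIC's WIPS; the BSSID allowlist, the scan entries and the 0.85 similarity threshold are constructed assumptions.

```python
# Added example: flag evil-twin and lookalike SSIDs in Wi-Fi scan results.
import re
from difflib import SequenceMatcher

OFFICIAL_SSID = "CIC Free WiFi"  # network ID named in the article
# Hypothetical allowlist of the operator's access-point BSSIDs (constructed).
KNOWN_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}

# Constructed scan results: (SSID, BSSID) pairs as a scanner might report them.
SAMPLE_SCAN = [
    ("CIC Free WiFi", "02:00:00:AA:00:01"),     # genuine AP
    ("CIC Free Wifi2", "02:00:00:bb:00:09"),    # similar name from the article
    ("CIC Free WiFi", "02:00:00:cc:00:07"),     # exact name, unknown radio
    ("C1C Free WiFi", "02:00:00:cc:00:08"),     # character substitution
    ("CoffeeShop Guest", "02:00:00:dd:00:03"),  # unrelated neighbour
]


def normalize(ssid: str) -> str:
    """Case-fold, drop non-alphanumerics, strip trailing digits ("Wifi2")."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold()).rstrip("0123456789")


def classify(ssid: str, bssid: str, threshold: float = 0.85) -> str:
    """Return 'ok', 'evil-twin', 'lookalike' or 'unrelated' for one scan entry."""
    if ssid == OFFICIAL_SSID:
        # Same name: only trust radios on the allowlist. BSSIDs can be spoofed,
        # so a match is necessary, not sufficient.
        return "ok" if bssid.lower() in KNOWN_BSSIDS else "evil-twin"
    ratio = SequenceMatcher(None, normalize(ssid), normalize(OFFICIAL_SSID)).ratio()
    return "lookalike" if ratio >= threshold else "unrelated"


def review_scan(scan):
    """Return (ssid, bssid, verdict) for every entry that needs attention."""
    flagged = []
    for ssid, bssid in scan:
        verdict = classify(ssid, bssid)
        if verdict in ("evil-twin", "lookalike"):
            flagged.append((ssid, bssid, verdict))
    return flagged


if __name__ == "__main__":
    for entry in review_scan(SAMPLE_SCAN):
        print(entry)
```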

"The best protection a person can use on a public network is a VPN (Virtual Private Network)," Fred Touchette, senior security analyst of AppRiver, told SecurityWatch. VPNs create an encrypted tunnel between the computer and the destination website, or network, so that all data being transferred are protected from eavesdroppers.

Eduard Goodman, chief privacy officer of IDentity Theft 911, said that while people had to be vigilant and aware of pickpockets while walking around the city 25 years ago, New York in 2013 has become safer. However, people still "need to recognize that avoiding being victimized today actually means keeping track of your connectivity to avoid being digitally pickpocketed," Goodman told SecurityWatch.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
